Information and Answers for Contracted Service Providers
A Contracted Service Provider (CSP) in the My Health Record system is an organisation that provides information technology services or health information management services in relation to the My Health Record system to a healthcare provider organisation, under contract to that organisation.
Note that a healthcare provider organisation is not required to contract any organisation to provide these services, but may choose to do so.
Conversely, a CSP in the Healthcare Identifiers (HI) Service plays a broader role in providing to a healthcare provider organisation information technology services relating to the communication of health information and/or health information management services. A contracted service provider recognised in the HI Service may not necessarily meet the definition of a contracted service provider in the My Health Record system, because they may not be providing services in relation to the My Health Record system.
Participation in the My Health Record system is voluntary; however, in order to protect the privacy of individuals and the security and integrity of the My Health Record system, any entity wanting to participate in the system as a separate entity must be registered. This allows the System Operator to monitor access to the system and provides the System Operator with mechanisms to penalise inappropriate actions.
To be registered and participate as a contracted service provider in the My Health Record system, you must:
- Have a National Authentication Service for Health (NASH) Public Key Infrastructure (PKI) certificate (NASH PKI certificate) which can be obtained from the Department of Human Services.
- Be registered with the System Operator. Your organisation must apply to the System Operator (Australian Digital Health Agency) and provide specified information, and the System Operator will determine if your organisation meets the criteria.
- Comply with any My Health Records Rules that apply to contracted service providers which require your organisation to:
- Develop, maintain, enforce and communicate to staff written policy relevant to the My Health Record system to ensure that interaction with the My Health Record system is secure, responsible and accountable. These policies need to deal with matters such as authorising persons within the service provider to access the system, training, physical protection of IT systems and so forth (as described in section 47 of the My Health Records Rules 2016).
- Review the policy mentioned above at least annually.
- Provide your service provider’s policy for a particular date to the System Operator upon request.
- Ensure your organisation uses reasonable IT user account management practices.
- Give the System Operator reasonable assistance in relation to any inquiry, audit, review, assessment, investigation or complaint regarding the My Health Record System.
- Not record or store a patient’s Record Access Code or Limited Access Code.
- Be linked to a registered Healthcare Provider Organisation, and tell the System Operator if you are no longer providing My Health Record system-related services to that Healthcare Provider Organisation.
- Only use the My Health Record system as instructed by the linked healthcare provider organisation.
- Maintain interoperability with the My Health Record system.
- Tell the System Operator within 2 days if you know or suspect that there is an error in a record your organisation has downloaded or accessed.
- Tell the System Operator within 2 days if there is a material change to your organisation as a legal entity. A material change includes the incorporation, merger or liquidation of the organisation.
- Have at least one CSP Officer appointed and tell the System Operator within 2 days if a person ceases to be a CSP Officer, their details change or you appoint a new CSP Officer.
- Tell the System Operator within 2 days if you have provided to the System Operator or uploaded to the system inaccurate provenance information in relation to the Healthcare Provider Organisation on behalf of which you access the My Health Record system.
- Not hold, process or take records held for the purposes of the My Health Record system outside Australia or cause or permit another person to do so.
- Tell the System Operator if you know or suspect that there is a non-clinical My Health Record system-related error in a record your organisation has downloaded or accessed, or that the security of the system has been compromised by one of your employees (including contractors) or by your equipment.
- Comply with any conditions imposed on your registration by the System Operator.
- Ensure the IT system which you use to access the My Health Record system uses conformant software when connecting to, and interacting with, the My Health Record system.
- Only collect, use or disclose My Health Record information as authorised (see Division 2 of part 4 of the My Health Records Act 2012).
- Not upload any information if it would infringe on the copyright of the owner.
- Tell the System Operator if you have been involved in any actual or potential data breach (i.e. an unauthorised collection, use or disclosure, or circumstances that may have contravened the system’s security or integrity).
- Tell the System Operator within 14 days if your organisation has ceased to be eligible to be registered (i.e. does not comply with the Rules or a condition imposed on its registration).
To register to participate in the My Health Record system, a contracted service provider must register with the Healthcare Identifiers (HI) Service as a contracted service provider using the Application to register a Contracted Service Provider Organisation Record form found on the Department of Human Services website. Additionally, the contracted service provider must also apply to the HI Service to obtain a NASH PKI certificate for a Healthcare Provider Organisation.
To access the My Health Record system, a contracted service provider will need a National Authentication Service for Health (NASH) Public Key Infrastructure (PKI) certificate. To obtain a NASH PKI certificate, complete Part D of the Application to register a Contracted Service Provider (CSP) Organisation form, which can be found here.
The My Health Record system uses different digital credentials from those used for the Healthcare Identifiers Service. The PKI certificate used for access to the Healthcare Identifiers Service cannot be used to access the My Health Record system.
The software used by an organisation to connect to the My Health Record system must have passed the Notice of Connection (NOC) requirements and the Compliance, Conformance and Accreditation (CCA) requirements. Contact your software vendor to find out whether your CSP and CIS (if used) software is already compliant with the My Health Record system.
More information about NOC and CCA requirements can be found at the NEHTA website.
From 1 March 2016, Contracted Service Providers (CSPs) no longer need to enter into a participation agreement with the My Health Record System Operator to register. The obligations previously imposed through this agreement are now set out in the My Health Records Rules 2016.
CSPs that registered before 1 March 2016 are still bound by their participation agreement. The My Health Record System Operator will be contacting these service providers from March 2016 to make arrangements to terminate these agreements. In the meantime, although these service providers will be subject to obligations both in the participation agreement and in the Rules, the obligations are largely the same.
A Contracted Service Provider (CSP) Officer will act as the liaison between you, as a contracted service provider, and the My Health Record System Operator. The CSP Officer will be responsible for:
- Applying to register your CSP
- Requesting the cancellation of your CSP’s registration if the service provider is no longer operating in that capacity
- Updating their demographic details as a CSP officer
- Updating the details of your CSP
Your organisation must appoint at least one person as a CSP Officer, although you can have as many as three CSP Officers at any given time. A CSP Officer will need to provide evidence of their identity when they apply to register your CSP. The officer will need to provide certified copies of documents which add up to 100 points, as described on the Application to register a CSP Organisation form.
If an individual is already registered in the HI Service in another capacity (e.g. as a Responsible Officer or Organisation Maintenance Officer of a Healthcare Provider Organisation), their existing details may be linked to a CSP using the Application to register a Contracted Service Provider Organisation form.
A Contracted Service Provider (CSP) can only access the My Health Record system on behalf of and at the request of a healthcare provider organisation to which your CSP is linked. When you register as a CSP with the My Health Record system, you will be issued a CSP number. You must notify any healthcare provider organisation on behalf of which you will be accessing the My Health Record system of this CSP number. It is then up to the healthcare provider organisation to request that your organisation be linked to it.
The healthcare provider organisation can do this through Health Professional Online Services (HPOS) using their Individual PKI certificate enabled for the HI Service. If they do not have access to HPOS, they will need to complete and submit the Application to link or unlink a CSP to or from a Healthcare Provider Organisation record form.
Access HPOS on the Department of Human Services website: www.dhs.gov.au. To request the HPOS form, call 1800 723 471 (call charges apply from mobile phones), Monday to Friday between 8:30 am and 5:00 pm, local time.